PHP 基础 - 在哪里存储 PHP 使用的 MySQL 密码
我是 Web 开发的新手,我正在学习 PHP,以便出售一些二进制文件(共享 Linux 主机).该网站尚未上线.
I am new to web development and I'm learning PHP in order to sell a few binary files (shared Linux host). The site is not yet live.
我的 php 脚本(50% 借用代码,50% 自己编写,95% 完全理解)登录 MySQL 读取待售物品,并将销售交易数据写入另一个表.Functions.php 位于 webroot 的子文件夹中,包含 MySQL 的登录名和密码.
My php scripts (50% borrowed code, 50% self-written, 95% fully understood) login to MySQL to READ the items for sale, and WRITE sale transaction data into another table. Functions.php, located in a subfolder of the webroot, contains the login name and password for MySQL.
第一季度.这对我来说似乎并不安全.应该如何存储登录名/密码信息以便脚本可以访问它?如果functions.php 存储在webroot 之外,那么位于webroot #include (PHP "require_once") 中的.php 文件可以吗?(我确实尝试过一次,但我的脚本以一种似乎与权限相关的方式崩溃了——如果我知道它应该工作,我会继续努力)
Q1. This doesn't seem secure to me. How should the login/password info be stored so the scripts can access it? If functions.php was stored outside the webroot, could the .php files located in webroot #include (PHP "require_once") it? (I did try this once and my scripts broke in a way that seemed permissions-related -- if I knew it should work I'd keep plugging away at it)
第 2 季度.我不确定在哪里存储购买者可以下载的二进制文件.如果我只是将它们存储在 webroot 的子文件夹中,精明的用户可以以某种方式找到/下载它们(无需付费)是否正确?是否可以使用 .htaccess 文件来阻止访问 webroot 中的二进制文件"文件夹?黑帽黑客可以访问/修改 .htaccess 文件吗?
Q2. I am unsure where to store the binaries that purchasers can download. Is it correct that savvy users can somehow find / download them (without paying) if I just store them in a subfolder of the webroot? Is it possible to use a .htaccess file to block access to the "binaries" folder within the webroot? Can black-hats get at / modify a .htaccess file?
第三季度.将二进制文件(最大 = 4Mb)存储在 MySQL 表中并在每次下载之前将它们从那里复制到 webroot 中的临时文件,然后删除会更好吗?
Q3. Would it be a better idea to store the binaries (max=4Mb) in a MySQL table and copy them from there to a temp file in webroot before each download, then delete?
第四季度.谁能推荐一组管理这类事情的脚本,我可以查看/修改而不是重新发明轮子?
Q4. Can anyone recommend a set of scripts that manages this sort of thing that I could review / modify rather than reinventing the wheel?
谢谢
推荐答案
不确定是否是最佳实践,但我会这样做:
Not sure if best practice, but this is how I'd approach it:
问题 1:我将 MySQL 登录信息以及本地路径和其他设置存储在 Web 根目录之外的 config.inc.php
文件中.然后我可以在每个脚本的开头包含它.我还使用了一个 database.inc.php
,它连接到 MySQL 并选择数据库(加上一些数据库函数).从理论上讲,它在 web 根目录中并不是不安全的,因为直接调用只会执行 PHP,而不显示它的内容.然而,存储 XML 配置或类似配置是不同的!
Q1: I store MySQL login information, along with local paths and other settings, in a config.inc.php
file outside of the web root. I can then include that at the start of each script. I also use a database.inc.php
which connects to MySQL and selects the database (plus a few database functions). In theory it isn't insecure inside the web root as being called directly will only execute the PHP, not display the contents of it. Storing an XML config or similar is different however!
问题 2:如果可下载的二进制文件存储在 Web 根目录中,那么如果发现正确的 URL,则可以下载它们.相反,它们应该存储在 Web 根目录之外,如果请求满足正确的条件,则 PHP网关"脚本会提供这些文件的内容.您可能希望在每次购买时在数据库中存储一个令牌,并且只允许有效的令牌下载文件.下载脚本的一个例子是这里.
Q2: If downloadable binaries are stored within the web root then they could be downloaded if the right URL is discovered. Instead they should be stored outside the web root, and a PHP "gateway" script serves the contents of those files if the request meets the right conditions. You may want to store a token with each purchase in your database, and only valid tokens are permitted to download the files. An example of a download script is here.
Q3:我认为使用文件系统来存储文件比使用数据库更好.如果这就是你的意思,它不会提高我对 Q2 的回答的安全性.
Q3: I believe it's better to use the file system to store files, rather than a database. It won't improve security over my answer to Q2 if that's what you mean.
Q4:您可以尝试使用现有的购物车软件.Magento 支持可下载的产品.
Q4: You could try existing shopping cart software. Magento supports downloadable products.
希望有帮助
相关文章